Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes "The NYT is reporting that the Largest DDoS in history reached 300 Gbps. The dispute started when the spam-fighting group Spamhaus added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Millions of ordinary Internet users have experienced delays in services like Netflix or could not reach a particular Web site for a short time. Dutch authorities and the police have made several attempts to enter the bunker by force but failed to do so. The attacks were first mentioned publicly last week by Cloudflare, an Internet security firm in Silicon Valley that was trying to defend against the attacks and as a result became a target."

The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam.

I think what they meant to say here was: "The dispute started when the spam-fighting group Spamhaus, which maintains a blacklist used by e-mail providers to weed out spam, added the Dutch company Cyberbunker to its blacklist."

I wonder if anyone can calculate the environmental impact of sending all those DDOS packets? Overall can it be claimed that spam and botnets are having an appreciable impact on the economy by wasting all that energy required to transmit all those pointless packets?

"I just got a packet from A.B.C.D on interface ethX, if I had to send a packet to A.B.C.D would I use ethX?"

If the answer is yes, then the packet goes along its merry way. If the answer is no, then the packet is most likely spoofed and is dropped.

The performance impact is negligible as such lookups for the destination are already fully optimized by ASICs (hence a cisco 7600 with a measly 300Mhz processor can still route gigabit at wire speed), multi-path is a non-issue (assuming a non-brain dead implementation) as if multiple paths exist the answer to the question would still be yes as long as it came from one of the valid paths.

There might be valid reasons for asymmetric traffic which may prevent this from being universally deployed (say some satellite providers which only send download via satellite and upload is over something else) but for the vast majority of ISPs its safe to deploy.

At the ASN level each ISP is assigned a block of ips, if you are not a transit its a simple matter of just filtering to ensure nothing leaving your network is saying otherwise. Once you hit transit links both this scheme and RPF lose their power as depending on the failure almost any transit link can be a valid path. For such a scheme to work it has to be implemented as close to the end point as possible (which is the general structure of the Internet, intelligence sits near the edge where traffic volumes are reasonable, core is dedicated to just high speed movement of traffic).

The complaint is that the traffic resulting from the computers participating in the botnet that is behind this DDoS attack is sufficient, from wherever it is, to knock off legitimate use. As the bots can be anywhere, some are in the US. Those bots are causing grief for Netflix users.

Just a badly written article. The attack was a spoofed attack on DNS root servers (I think - badly written article) that reflected back toward Spamhaus. This would cause disruptions to DNS and to Spamhaus. By extension, the huge amount of traffic seems to be slowing down just about everything.

Don't know when this started, but I was watching Netflix on Monday and got 2 dots instead of my usual 4 and I'm in the Midwest US.

Cutting their communication lines was the first thing I thought of too. Then cutting their power lines. I may not have enough cofee in me to calm me down this morning but visions of the Dirty Dozen [wikipedia.org] dumping fuel and grenades into their bunker came to mind. }:D

Cutting their communication lines was the first thing I thought of too. Then cutting their power lines. I may not have enough cofee in me to calm me down this morning but visions of the Dirty Dozen [wikipedia.org] dumping fuel and grenades into their bunker came to mind. }:D

If Carnival Cruise Lines have taught us anything, just back up their toilets. They'll be out in a jiffy.

That is not a SWAT team, those guys would be better armed and a little more bullet proof. This is just Dutch police in riot gear, of which these woven bamboo shields are a standard component. According to an ME (riot police) buddy, the bamboo shields are pretty good, lighter than the more common plastic shields, and more flexible, meaning they are better at deflecting thrown objects. The only disadvantage is that they do not stand up well to stab weapons, which has not really been an issue until a group of squatters defended themselves with iron pipes with large spikes capable of puncturing these shields.

You have obviously never seen the ME in operation; I have, it was not pretty. I especially liked the skill with which on of the mounted leant really low in the saddle to beat his stick on the heads of two women treating an unconscious man.

Heh, if true that is funny. I have some doubts as to the veracity of the story though, if a SWAT team wants in, in it is going to get. Unless the Dutch have them walking the beat or something and this is the SWAT equivalent of checking the doorhandles.

What materials exactly are they that are going to resist 4500 C cutting tools? You realize that a lot of bunkers are largely concrete, and that a thermal lance will go right through that, right? And that no bunker would completely withstand a nuclear blast-- it would take some damage, there is just sufficient material and the blast is sufficiently spread out that the bunker stands.

Once you start focusing with a lance on a bunker door, or break out a bunker-buster bomb designed to penetrate before exploding (rather than the mid-air explosion of a nuclear bomb), the bunker will fall.

One is directed and sustained, the other is not. Heck, the most powerful nuclear fusion explosion in the solar system hits the front door of that facility daily, but you can do more damage with a pen knife because the sun's rays aren't directed.

The misconception here is that there are materials being used which can stand next to a nuclear blast and take no damage. Bunkers are generally concrete, and have doors; those can be breached by thermal lances (used in construction) and by strong explosives, or by bunker-buster bombs.

But, there will surely be a salvage company in a nearby town with the tools to break through the door. GG(g?)P's most valid point is that fortifications aren't going to hold unless you can keep people on the outside from dismantling them. Somehow I doubt the guys inside are going to start shooting and they sure as heck are not going to be getting relieved by an outside force. Give it a day or two, and this will be resolved. If I were a betting man I'd say the guys inside just open the door before it goes to

All it takes to breach any bunker is a jackhammer. The big jackhammers mounted on heavy construction equipment eat through concrete and rebar with impressive speed - making a hole at several inches per minute.

Most concrete slabs can be removed by punching a few holes around the piece you don't like, then just knocking it a few times with the full weight of the excavator, shattering the concrete slab. If the bunker wall is a single concrete slab many feet thick, you'd just tamp some small explosives into the hole, remove a foot or so of concrete, then repeat.

Carving a roadway out of a granite cliff face is very low tech and well understood these days, and just making a hoe a few feet across in a thick concrete slab is in fact something that any construction demolitions company could do pretty easily with common equipment.

The bunker is meant to be self-sustaining for 10 years. The SWAT is not going to do a multi-year seige to get in there. So, yes, while they can't stay in there forever a SWAT would not breach it. Otherwise it would be worthless for its purpose.

So?

Cut the internet and maybe power connections, berm over the air handlers, and pave where applicable and forget about it.

I doubt the nerds inside have the capability of getting OUT from under a D9 created mound of debris.

When their parents call because junior hasn't been eating the hot pockets placed mommy the top of the basement stairs they'll figure out who is in there, and who to send the bill to.

Seriously though, if I were a CLEC or any other data provider I would have shut them off saying "breech

you do realize that a bullet proof vest doesn't work well against knives even though a bullet contains a lot more force than a typical knife attack.

a similar idea applies to this bunker. yes it can take a nuclear blast, however that doesn't make it indestructible by any means. any determined foe with direct access to the facilities will eventually get in. the main thing that makes the bunker nuclear proof is really thick concrete, and that is rather simple to break up, heck we do it every day on various

Call me skeptical, but I am not so sure that a) SWAT teams have round leather shields, b) all members of the team raise their shields int the very same moment, c) they all wear gas masks but no firearms, but hold batons in their hands although nobody is in sight, d) a camera from within the bunker is so nicely positioned to take a picture of the team. Could it be a nice publicity gimmick instead?

I don't know..I'm not a combat engineer, but I don't think any bunker can last long if determined professionals are allowed to freely operate outside it. "nuclear bunker" means certain things about tolerance to over pressure, shock, contaminated air, etc., but doesn't do all that much against people with jackhammers and drills. The wikipedia page says the cyberbunker has 5 meter thick reinforced concrete walls, which would probably keep you and me out, but I'm sure can be defeated in time with civil engineering equipment. Beyond that, if you've got guys who know what they're doing poking around outside the bunker, there's whole worlds of things they can do.

These Danish cyberbunker people seem to share a mindset with the U.S. Ruby Ridge crowd, and they're both wrong. Making yourself an immobile target and defying state power in a developed nation really only has two outcomes: either you're not enough of a nuisance to provoke action, or you get crushed.

Ruby Ridge crowd? Uhhhmmmm - how many people were in that "crowd" that you refer to? And - the guy didn't make himself an "immobile target" exactly. That's just kinda sorta the thing that happens when you start raising a family. It's tough to raise kids on horseback, or in a Greyhound bus, or whatever.

Except that this bunker has an air reprocessing center. It's a whole underground complex, meant to house a part of NATO's command center in the event of a thermonuclear war.

On the other hand, cutting the network cable would indeed render the criminals inside nice and fluffy, with a self-inflicted prison sentence if they decide to refuse to go out. They already resisted police raids twice, including once by a SWAT team.

I don't think those powerhungry air scrubbers are still online all the time.

And I surely hope that the Cold War independent energy source (probably a small nuclear reactor) was removed, so cutting power should simply work. As soon as the batteries drain, end of story.

But note that the whole SWAT story seems to have Cyberbunker as only source in the linked articles. I wouldn't take their (spamming ddosers they are) word for it.

The whole article regurgitates the vibe that CB wants to spin, it is not a factual description of reality. The main NATO HQ on Dutch soil used to be the Cannerberg (which could house government and parlement), while the said location afaik is only a minor relay station, and the spin seems to borrow facts from more major bases.

The summary makes it sound like the Cyberbunker is a physical location. If so, a wire cutter should cut off it's access to the inter webs.

Interesting that people on Slashdot really think that the DDOS attack is being co-ordinated from hosts housed in the Cyberbunker hosting site. Are people really that out of touch with how botnets and DDOS attacks are managed?

It's just a comparison. With a nuclear war, the target may be destroyed, but there is always going to be collateral damage to innocent around the target. With this attack, it's very powerful (like a nuclear bomb) and it has affected many unrelated, innocent companies/users (like a nuclear bomb).

Shutting off the computer and going outside may work for John Q. Public when his favorite gaming server is experiencing high latency as a result. When your job is to consult to prevent or mitigate this specific att

I find it very interesting that they are using a variation on the Old Smurf attacks for this. Sending a message to other places that work as an amplifier. You would think that after 10 years we would have learned that blind, unchecked, forwarding is not a good thing.

Unfortunately, too many DNS configurations can be used for amplification, because the responses are larger than the queries, especially if you've got new and interesting record types like DNSSEC, and too many ISPs still ignore the Best Current Practices #38 recommendation on blocking spoofed traffic. RPF is your friend.

There's some mitigation out there because the bigger response record types don't always fit in a single UDP packet, so DNS servers may handle them over TCP (which is harder to forge), and ma

I think his point is that the ISPs from where these packets originated should never have allowed those spoofed packets out. And the network backbone of that ISP should never have allowed those spoofed packets to reach the DNS servers. And so forth.

With an operator no doubt facilitating illegal actions of their customers, and refusing to no doubt enfore court orders to disconnect their customers for said actions, couldn't a case be made to disconnect them from THEIR upstream providers because they are now acting illegally but not following court orders, presuming that their upstream providers follow court orders, and the upstream upstream until you get to a legitimate entity. It seems quite an shortcoming of the law that they can act with impunity while allowing their customers to bring down the very fabric of the world wide web.

That's about the start of the online war. Though disconnection was not by court orders, but by spamhaus' actions.

Years ago cyberbunker was already sending out spam. When spamhaus got sick of the actions of cyberbunker, they put A2B internet, the uplink for cyberbunker, on the blacklist in order to force A2B to disconnect cyberbunker. While cyberbunker should have been killed a decade ago, the A2B IP range affected did not send out spam. Spamhaus abused their power to force a (mostly) legal company to discon

The different lists published by Spamhaus distinguish whether the IPs are directly responsible or are organizationally related. There is no abuse of power here — customers subscribe to the lists that they want, and use those lists to block as they see fit. Spamhaus isn't forcing anyone to use the lists, nor is it misrepresenting what's in the lists.

Dutch authorities and the police have made several attempts to enter the bunker by force but failed to do so.

From TFA:

Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team.
“Dutch authorities and the police have made several attempts to enter the bunker by force,” the site said. “None of these attempts were successful.”

In other words: Cyberbunker is not currently under assault by police, and we have only their word that they ever have been. I suspect that at one time they were successful in having visiting cops think nobody was home by being real quiet and quickly turning off all the lights.

Dutch authorities and the police have made several attempts to enter the bunker by force but failed to do so.

From TFA:

Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team.

“Dutch authorities and the police have made several attempts to enter the bunker by force,” the site said. “None of these attempts were successful.”

In other words: Cyberbunker is not currently under assault by police, and we have only their word that they ever have been. I suspect that at one time they were successful in having visiting cops think nobody was home by being real quiet and quickly turning off all the lights.

Why would you turn the lights off? It's very apparent visually, and confirms people are there. I'd leave them alone, people leave some lights on in their house... or bunker, even when absent.

You realize Cyberbunker is situated in a bunker designed to survive a nuclear war [cyberbunker.com]. It was designed to function independently for 10 years. Not sure how long that would work with the servers at full load, but i'd think they could still run their generators for quite some time without interruption.

You realize Cyberbunker is situated in a bunker designed to survive a nuclear war. It was designed to function independently for 10 years. Not sure how long that would work with the servers at full load,

Well, I'd assume to be online they're probably going to have some sort of fiber-optic connection. Even if it's redundant, it's going to plug into the greater infrastructure somewhere and it shouldn't be *too* hard to sever if the police really had a mind to do so.

You realize Cyberbunker is situated in a bunker designed to survive a nuclear war.

You don't have to kill them. Just unplugging their Internet connection would be enough, Then padlock the door and wait till they knock on it and ask to be let out. How long could that be? A week at the outside?

I don't believe the bullshit about then fending off SWAT teams anyway. That's what they say on their own website. No government really cares about spam enough to send in a SWAT team. It's all "protected commercial speech", and plenty of assholes in government are happy to let them do it. If they gave a shit, they know who is DDOSing and exactly where they are. They could arrest them. Freeze their bank accounts. Turn off their electricity, water. But they do nothing.

Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its “many controversial customers.” The company claims that at one point it fended off a Dutch SWAT team.

The only mention of "Dutch authorities and police" comes from the Cyberbunker company itself. The article is badly written, so it's not completely clear (from the context) whether or this claim is related to the current dDOS the company is running. The writer doesn't appear to have talked to anyone in Holland - except perhaps the self-styled spokesman for Cyberpunker.

From the article it suggests that the company was able to defend against there SWAT... can anyone that is fluent in Dutch find an article on that? I've tried looking for it in english but have had no luck. Sounds like quite the story.

Still not sure why authorities didn't break out the fiber seeking backhoe to solve this problem if that company is legitimately holed up in what sounds like a minor siege.

See here [cyberbunker.com] for links to two seperate accounts of attempts at police action. It seems there was a misunderstanding with the local authorities over their use of a hardened bunker as a data center but it was later cleared up. Given they've hosted some torrent sites, I don't find it unreasonable to think these accounts might be accurate. Just ask Kim Dotcom or TPB whether SWAT is out of the question.

Spamhaus must be costing somebody (or some people) a LOT of money to draw such a massive attack.

I admire their balls -- Spamhaus are fighting serious and organised criminals, people who are perfectly capable of raping and murdering folks who get in their way. It wasn't so long ago that the Russian mafia targeted a Russian security specialist by kidnapping his daughter, raping her, injecting her with heroin and selling her into slavery.

They are not very nice people at all, and shouldn't be fucked around with. Picking fights with organised criminals should be left to law enforcement.

So where is the evidence that Cyberbunker has anything to do with this?

I appreciate the things the Spamhaus people do, but they don't exactly have a spotless record when it comes to accurately pointing fingers.

Did you read the article? If you did you would have spotted this:

Questioned about the attacks, Sven Olaf Kamphuis, an Internet activist who said he was a spokesman for the attackers, said in an online message that, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Mr. Kamphuis said Cyberbunker was retaliating against Spamhaus for “abusing their influence.”
“Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”

Item 1: The DDOS began after Cyberbunker IPs were added to the black lists.

Item 2: Cyberbunker have a policy saying that they won't look at your servers and don't care what you do. Pretty much a green-light for spammers.

Item 3: The internet activist stating that the DDOS is in response to the blacklisting.

The circumstantial evidence points towards the attacks as being the result of the action Spamhaus took with respect to Cyberbunker. Its unlikely to be the company themselves, but rather at the instigation of one of their customers. The interesting thing is that you can find reports from 2011 (http://www.theregister.co.uk/2011/10/20/spamhaus_a2b_row/) where Spamhaus say that Cyberbunker were on the blacklist then with no prospect of being removed. What has happened in the meantime?

So in other words, the only evidence you will take is for him to tell you himself, or maybe them putting it on their website would work for you as well....
Since it was a quoted message you can assume that it was his words. The location and type of message does not matter.
At some point you have to either trust that the journalist was professional, or not, up to you.

“Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet,” Mr. Kamphuis said. “They worked themselves into that position by pretending to fight spam.”

I'd rather not have to consult Spamhaus blacklists on my mail servers to block incoming email. I know that if I removed it my bandwidth would be clogged and the amount of work done by my servers to deal with spam would increase many fold. So I use Spamhaus blacklists and it makes me feel dirty. It's the wrong solution to the problem of spam. Surely we should be able to come up with something better.

Spamhaus has been going for 15 years. Look at the other technological advances in that time why don't we have an effective, agreed upon, resolution to the problem of spam? Perhaps the best thing would be for Spamhaus to shut up shop, to stop providing the DNS lists. For mail servers to stop filtering and marking the spam. Let the size of the problem manifest itself. Perhaps then we will get a concerted effort to stop it rather than mitigate the impact.

The answer is to get rid of email and replace it with something secure. The problem is, no one has stepped up to try it. Google Wave had promise in this area. Texting and instant messaging have chipped away at it a bit, but nothing has come out and replaced it.

Email needs end to end encryption along with built in spam prevention. It needs to look and feel like it does now but with all the changes made on the backend as to make the transition for end users seamless.

IF its a DDOS, then losing control of the stupid little robots will not make it stop, they will just be unstoppable. If you want to prevent DDOS, then you need to force ISPs to perform egress filtering of source addresses that are outside of their network. And also implement a choke protocol to inform the ISPs that they have a bad actor on their network.

Yes, but they're prisoners in their own facility. "We will tell LEOs to GTFO!" is fine until you realise that those same LEOs are preventing your shift change, and you forgot to pack 80 extra pairs of skivvies this morning in case you happen to be "on shift" until the bunker doors are unsealed.

The Russian Wikipedia page states it has water and fuel for 10 years. I give them 10 days before cabin fever sets in.

The real question is: what authority did the police have when they attempted entry? If they are just going to execute a search warrant, they can break down the door but they are not authorized (or equipped) to blow it up. They are certainly not authorized to just cut off power or comms to a place of business in case of an ordinary house search. That however could change now that they are involved in a large (and most certainly illegal) DDOS attack. It is not certain when they'll go offline, but this c

It would only hold up for ten years if it was not surrounded and under sustained attack. Yes, it could possibly take a glancing hit from a nuke, but no, it would not stand up very long to some guys with drills and normal demolition charges who had the time to simply drill, demolish or undermine the complex. It would only serve as a fortress hard point if the people inside were armed and there was some hope that allied forces could relieve them in a reasonable amount of time.